CIA loses Chinese and Russian spies

Lee arrested for somehow enabling this

thaddeus t. grugq
9 min read | Jan 22, 2018

A former CIA case officer, Jerry Chun Shing Lee, has been arrested and charged with possessing classified material. Further, authorities have implicated Lee in the dismantling of both Chinese and Russian spy networks, in which at least 20 people (assets, in intel speak) were captured and executed. I don’t have any answers, but this post raises the questions I have about the case and tries to figure out what is going on. If nothing else, it seems like the CIA is really not winning any awards for “strongest asset security.”


Strange goings-on

If Lee was a critical asset to the Chinese in 2007 (after he left the CIA), then why was he being placed at risk by aiding cigarette smugglers? This is a gross violation of operational security: break one law at a time. Indeed, it is his alleged spying for China to aid cigarette smugglers which caused the FBI to investigate him. No competent espionage service would jeopardize the security of a high value asset by exposing them over something as petty as cigarette smuggling. Here is a guy who can hand over, at a minimum, a number of known assets within China. That is far more valuable than any revenue from cigarette smuggling. His conduct at JTI was so blatant that they fired him for it, and probably tipped off the FBI as well.

Interestingly, his accusation that JTI was violating the laws of China and Hong Kong suggests that his allegiance was already with the Chinese. Why else would he care about violations of Chinese law? He spent two decades convincing people to violate the laws of the countries they lived in; it is unlikely that he’d suddenly care about Chinese law. The alternative is simply that the departure was so acrimonious that the squabble devolved into accusations of illegal conduct.

There is a three year gap from when Lee leaves the CIA (2007) until China discovers the covcom compromise trick (2010). This trick needed only access to a single asset’s laptop to compromise covcom for both China and Russia. This violates a number of rules of spycraft, including not keeping incriminating evidence (the covcom app), and not using the same mechanism in multiple “hard target” countries. The compromise of covcom for one Chinese asset should not compromise other Chinese assets, let alone Russian assets! This is a massive compartmentation failure. I find it hard to believe this was actually how the CIA operated.

Lee’s notebooks indicate that he used face to face meetings, that he was not using covcom for collection, and that he was following established espionage tradecraft: during a meeting, establish a series of scheduled future meetings with locations and fallback dates. This is evidenced by his datebook content. This method of managing asset meetings is well established as secure because, once the schedule is agreed in person, there is nothing in transit for a counterintelligence service to intercept.

Timeline of events

  • 1994: Lee joins CIA as a Case officer, receives regular field officer training
  • 2007: Lee quits CIA (allegedly) upset his career plateaued
  • 2007: Lee joins Japan Tobacco International (JTI) on the Brand Integrity Team, which investigates counterfeiting and smuggling (Source)
  • 2008: JTI becomes suspicious Lee is spying for PRC
    — Investigations, operations, etc, fail in weird ways once he learns details of them
    — A JTI investigator is arrested and jailed
    — JTI executives state that Lee’s behaviour and demeanour confirm their suspicions
  • 2009: Lee is fired from JTI. He accuses them of breaking Chinese and Hong Kong law, they claim an investigation proves those allegations are false
  • 2010: Lee forms FTM International with an HK ex-police officer as the director and secretary (i.e. the minimum requirements for a HK company)
  • 2010: PRC begins arresting CIA assets
  • 2010/11: PRC has training session with Russia, teaches them their CIA asset hunting trick
  • 2010/11: Russia reports that the technique has been very successful
  • 2012: CIA halts all HUMINT operations in PRC until they can figure out what is going wrong
  • 2012: PRC stops arresting CIA assets. 20 US spies have been killed
  • 2012: the FBI is tipped off that Lee was fired from JTI over suspicion of spying for PRC
  • 2012: Lee moves from HK to the US, via Honolulu
    — FBI black bags his room, discovers two notebooks of classified info
    — datebook: this contains asset true names, meeting dates and locations, and operational phone numbers
    — address book: this contains asset true names, phone numbers, and names and phone numbers for other CIA officers
    — FBI black bags him again in CONUS, he still has the notebooks
  • 2013: FBI interviews Lee multiple times, nothing comes of it
  • 2013: Lee returns to HK
  • 2013: a CIA officer is arrested in Russia. He has written instructions to a recruit telling them to purchase a new tablet or laptop, set up an anonymous Gmail account, and email a specific Gmail account to confirm they are working with the CIA (Source)
  • 2013: Lee joins Estée Lauder. Source
  • 2014: Lee shuts down FTM International
  • 2014: German intelligence officer arrested for spying for the CIA
  • 2015: Lee leaves Estée Lauder
  • 2015: Lee joins Christie’s auction house in a senior physical security role
  • 2018: Lee flies back to the US, surprising the FBI, who arrest him for possession of classified material (his datebook and address book photographed in 2012)

Compromised COVCOM

The speculation is that Lee aided the Chinese in compromising the covert communications channel (covcom) used by assets. The number of assets arrested exceeds what Lee knew about, and the compromise of the Russian assets apparently cannot be linked directly to him.

CIA officials disparage the sophistication of the covcom in service at the time, saying that counterintelligence officers would only need access to a single agent’s laptop to compromise the whole thing.

A hint at what might have been in use comes from the 2014 arrest of a German spy. He had been spying for the CIA since 2012. He communicated with his handlers using a weather app on his laptop that became a communications tool when the location was set to New York (Source):

For the last two years, he has been sending documents to the Americans electronically once a week, according to Bild newspaper.
In a damning piece of evidence, investigators said they had found an encrypted communication programme hidden on his computer.
The hidden programme was disguised as a weather app, and activated by searching for a weather forecast for New York.
The arrested man was able to carry on most communications electronically, but met with an American contact in Austria on two or three occasions, when he received payments of €25,000 in cash. — Source

If this was the improved system, one shudders to think what the original system was.

What is Lee’s role in this?

It’s hard to determine what Lee’s role was in this Chinese and Russian counterintelligence success. Given how limited the data is, always a problem with counterintelligence investigations, we can only speculate based on third-hand information. Still, there are a number of factors which don’t make sense.

Compartmentation would have restricted the number of assets and operations that Lee knew about. There is no way that he provided incriminating evidence against 20 people in China and some number in Russia (“No single officer had access to all of them,” one official said). That would imply such a gross violation of security rules that it is impossible to believe. Additionally, the reporting from Russia suggests that they were using a technique they learned from the Chinese. That points to a technical compromise or penetration, rather than a CIA mole informing on assets (Source):

Soon after the task force concluded the Chinese had penetrated covcom, it got an even more troubling report: That after a joint training session between Chinese and Russian intelligence officers, the Russians “came back saying we got good info on covcom,” as the former official put it. — Source

Was Lee’s cooperation critical to breaking the covcom in place at the time? Not necessarily, according to two intelligence officials.

Two former officials said the CIA’s system for exchanging messages with its agents was shockingly primitive and subject to easy penetration by the Chinese.
“All they had to do was get one agent’s laptop, and they could figure it out,” one former official said. — Source

Given the way that he was placed at risk of exposure (aiding cigarette smugglers) at the exact time when he would’ve been of maximum value to the Chinese security services, it’s difficult to reconcile Lee’s actions with his alleged critical value to Chinese counterintelligence. The logical assessment is that Lee was not actively working for the Chinese security services at this point. They would not have allowed him to risk exposure by engaging in illegal activity, and most especially they would not have jeopardized him by acting on his cigarette smuggling information. It was the correlation between the failures of the cigarette investigations and Lee’s knowledge of them which caused JTI to grow suspicious and ultimately fire him for being a Chinese spy. It is entirely possible that they informed the FBI as well. The Chinese would have known the inherent dangers of using an ex-CIA case officer with TS//SCI knowledge for something as trivial as cigarette smuggling.

A late start, maybe?

The next possibility is that Lee began cooperating with the Chinese in 2010, after he left JTI and was running his own company. At this point in time he has a family to support, Hong Kong is not the cheapest city, and so maybe he starts to give up some data for cash. The Chinese use that information to begin arresting spies (which started in 2010), learn about the covcom technique from those arrests, and from there their counterintelligence investigation expands.

This theoretical scenario fits the small number of facts we know; however, it raises questions about CIA competency. If the information Lee provided was about covcom, then why was it still useful to China three years after he left the CIA? Why were they still using the same system? How did a field officer know sufficient technical details about the covcom system to provide actionable intelligence? If a single asset’s laptop really was sufficient to compromise the system (plausible, if it resembled the setup used by the German spy), then Lee need only have given up his own assets; their arrest provided the information necessary to locate the others.

Again, this raises issues of CIA competency. There is no reason a spy in a hard target country should be in possession of incriminating evidence (such as a spy app) on their personal computer (can’t exactly deny that connection). Further, there is no explanation for why a system was left in place for so many years unchanged. But worst of all, the lack of compartmentation is damning. A single compromised spy in China should not jeopardize any other Chinese assets, and there is absolutely no excuse for that failure to spread to Russian assets as well.
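To make the compartmentation point concrete, here is an added illustration of my own; it is not code from the original post and has nothing to do with any real covcom system, whose design is not public. It models the one thing the officials describe: a counterintelligence service seizes one asset’s laptop, pulls the key material out of the client, and then tests captured messages to see which ones belong to the network. Under a shared key, every asset’s traffic lights up; under per-asset keys derived from a master the assets never hold, only the seized asset is exposed. The asset ids, the master secret and the sample reports are all constructed for the example.

```python
import hashlib
import hmac

# Constructed master secret. A real handler side would generate this randomly
# and never ship it to an asset; it is fixed here so the example is deterministic.
MASTER_KEY = bytes(range(32))

# Constructed sample traffic: asset id -> report text. The contents are irrelevant
# to the point; only the authentication tags matter for traffic identification.
SAMPLE_REPORTS = {
    "asset-01": b"weather update: clear skies, 3 contacts observed",
    "asset-02": b"weather update: storm warning, shipment delayed",
    "asset-03": b"weather update: fog, meeting moved to fallback date",
}


def derive_asset_key(master_key: bytes, asset_id: str) -> bytes:
    """Per-asset key = HMAC-SHA256(master, asset_id).

    Only the handler side holds the master; each client device carries just its
    own derived key, so one seized device cannot yield any other asset's key."""
    return hmac.new(master_key, asset_id.encode(), hashlib.sha256).digest()


def tag_report(key: bytes, report: bytes) -> bytes:
    """Authentication tag the covcom client attaches to an outgoing report."""
    return hmac.new(key, report, hashlib.sha256).digest()


def is_covcom_traffic(seized_key: bytes, report: bytes, tag: bytes) -> bool:
    """What a counterintelligence service can do with a key pulled off one seized
    laptop: check whether a captured message carries a valid tag under that key."""
    return hmac.compare_digest(tag_report(seized_key, report), tag)


def assets_exposed_by_one_seizure(shared_key: bool, seized_asset: str = "asset-01") -> list[str]:
    """Simulate the network under both designs and return the asset ids whose
    traffic the CI service can recognise after seizing one asset's device.

    shared_key=True  : every client carries the same key (the "one laptop" failure)
    shared_key=False : every client carries its own derived key (compartmented)
    """
    keys = {
        asset: (MASTER_KEY if shared_key else derive_asset_key(MASTER_KEY, asset))
        for asset in SAMPLE_REPORTS
    }
    # Traffic as it would be captured on the wire: (report, tag) per asset.
    captured = {
        asset: (report, tag_report(keys[asset], report))
        for asset, report in SAMPLE_REPORTS.items()
    }
    # The CI service obtains exactly one client's key material.
    seized_key = keys[seized_asset]
    return [
        asset
        for asset, (report, tag) in captured.items()
        if is_covcom_traffic(seized_key, report, tag)
    ]


if __name__ == "__main__":
    print("shared key, one laptop seized    :", assets_exposed_by_one_seizure(shared_key=True))
    print("per-asset keys, one laptop seized:", assets_exposed_by_one_seizure(shared_key=False))
```

This only covers the key-separation half of the problem. Per-asset keys stop one seizure from unmasking the rest of the network’s traffic, but they do nothing about the other failure the article describes: a recognisable spy app sitting on a personal laptop is incriminating on its own, whatever key it holds, and the same client shipped to assets in two hard target countries means one country’s forensic work transfers directly to the other.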

When the CIA gets covcom wrong, people die. The allegations in the NBC article imply that the CIA violated basic laws of spycraft: no compartmentation; technology that was inadequate for the job; requiring spies to possess incriminating evidence; and failing to update their procedures years after a disgruntled employee quit, stayed in the area where he had been working, and was later implicated in spying for China and being sympathetic towards China. All red flags.

Speculation on incomplete information

Theory one
Based on the timeline and the actions of the individuals and agencies involved, I assess that Lee was not cooperating with the Chinese security services in 2007. He may have been engaged in corruption involving cigarette smuggling, but he was not actively breaking his oath. By 2010 something changed and Chinese counterintelligence became much more effective. They learned how to identify covcom traffic and shared this information with Russia. Russia then had success with the same technique.

It is possible that Lee sold out the assets he personally handled and that a thorough investigation of the possessions of those spies was sufficient to compromise covcom. After a few years of debriefing Lee, China no longer needs him and he attempts to leave (returning to the US), which exposes him to FBI counterintelligence investigators. They find that he kept some classified data. He denies any wrongdoing (this is a trained case officer; surviving interrogations is what he was trained to do). Fast forward five years and he’s arrested for possessing classified material.

Theory two
Lee is innocent of selling out his assets to China. Chinese counterintelligence gained access to his notebooks the same way the FBI did, via a black bag job, or they simply got lucky and caught a spy on their own. From here it’s much the same as theory one: Lee’s knowledge is not relevant to further counterintelligence success because the CIA’s failure at spycraft security damned their spies. This was the same time period in which Hezbollah rolled up a CIA spy network where the covcom was literally one SMS a month (“PIZZA!”) sent to a dedicated burner mobile phone, telling assets to go to the same meeting place used for all asset debriefings: the only Pizza Hut in town!

Conclusion?

I can’t tell what is going on or what to think. The narrative that is being pushed doesn’t make sense given the data available. Maybe there is additional secret information which is more damning of Lee. From the available evidence it looks like the main screwup here was CIA spycraft.
